PayU Privacy Statement

WHO IS PAYU AND HOW DOES THIS PRIVACY STATEMENT WORK?

WHAT IS PERSONAL INFORMATION AND WHAT TYPES OF PERSONAL INFORMATION DO WE COLLECT ABOUT YOU?

HOW DO WE COLLECT YOUR PERSONAL INFORMATION?

WHAT ARE THE LAWFUL GROUNDS THAT WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?

PURPOSES FOR WHICH PAYU MAY PROCESS YOUR PERSONAL INFORMATION

WHOM DO WE DISCLOSE YOUR PERSONAL INFORMATION TO OR SHARE IT WITH?

MARKETING

COOKIES AND SIMILAR TECHNIQUES

INTERNATIONAL DATA TRANSFERS

DATA RETENTION

WHAT ARE YOUR INDIVIDUAL RIGHTS?

SECURITY: HOW WE PROTECT & STORE PERSONAL INFORMATION

MINORS

CHANGES TO THE PRIVACY STATEMENT AND YOUR DUTY TO INFORM US OF CHANGES

HOW TO CONTACT US

The purpose of this privacy policy is to give you information on how PayU collects and processes your personal data when you use our Website, or payment platforms (“Platforms”). This includes any personal data that you provide to PayU through this Website i.a. when you submit personal data on our business enquiry form so that PayU may contact you to explain our service offering to you.

“PayU”, “us” or “our” in this privacy policy refers to the PayU S.A. with registered office in Poznań (Poland), entity that is responsible for processing your personal data.

Our full details are: PayU S.A. with the registered office in Poznań, Poland, 60-166 Poznań, at ul. Grunwaldzka 186, entered into the Register of Entrepreneurs kept by the District Court for Poznań – Nowe Miasto and Wilda in Poznań, 8th Commercial Department of the National Court Register under KRS number 0000274399, having a tax identification number NIP: 779-23-08-495, a domestic payment institution supervised by the Polish Financial Supervision Authority, entered into the Register of Payment Services under number IP1/2012.

PayU shall be data controller of your personal data, i.e. we are responsible for the use of your personal data in a secure manner in accordance with applicable law, particularly according to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and in certain cases according to the agreement you have concluded with us.

Please read this Privacy Policy and the additional information related to the services offered by PayU. If have any questions, please contact us under e-mail address indicated below.

“Personal information” means any information relating to an identified or identifiable individual. Depending on who you are (e.g., a merchant, customer, cardholder, consumer, supplier or business partner) and how you interact with us (e.g., telephone, online or offline), we may collect, use, receive, store, analyze, combine, transfer or otherwise process different categories of personal information.

Below is a table reflecting the categories of personal information we may collect about you:

How we collect personal information will depend on the following broader situations:

1. If we receive or collect it directly from you

We may collect personal information directly from you in different ways on our Websites, Apps, Platforms or product or service offerings. For example, you may give us your personal information when you:

• give us your contact information so that we can contact you about our services and products;
• conclude a contract or verify with us who you are (whether by email, phone or electronic verification);
• apply for our products or services directly with us or through our appointed suppliers (such as marketplaces or credit providers) or initiate an account-based relationship with us;
• scan a QR code which requests you to provide your personal information to us to process a payment for you on behalf of one of our merchants or if you are using one of our own payment products;
• are prompted to give us your contact and payment information on our web-checkout /payment pages or via other similar channels;
• enter a competition, promotion or survey or you ask to have marketing materials sent to you;
• send us a support request through one of our support desks; or
• access and browse our Website(s), Apps and Platforms – to learn more see our Cookie Policy.

2. If we collect personal information from third parties, or from publicly available sources

We obtain personal information through third parties or, if publicly available, where permitted under applicable law, including:

• from our merchants, payment partners and financial institutions. For example, a merchant can offer you various ways to pay for their goods or services (credit or debit or hybrid card, electronic fund transfer (EFT), wallet, mobile money, loyalty credits) and the payment would be settled into the merchant bank account held by an authorized financial institution. In such situations, the merchants, payment partners and financial institutions are responsible for your personal information, but we may collect such personal information so that the payment transaction can take place. We encourage you to read such third parties’ privacy statements to learn more on how they process your personal information.
• from social platforms and networks when you give us permission to do so. For example, depending on your social media settings, if you choose to connect your social media account to a PayU product, certain information from your social media account will be shared with us (which may include information that is part of your profile).
• from financial institutions and fraud prevention agencies for the purposes of conducting fraud and risk assessments or analysis. For example, before we provide services, goods or finances to you (as applicable), we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to collect information about you.
• from third parties who have entered into contracts with us to assist us with our business operations;
• from public sources, both publicly available (e.g. the CEIDG database) and requiring your authorisation (e.g. the service of transferring your data from the mObywatel application) in accordance with applicable laws in your country;  
• from credit reference agencies, credit bureaux, or banks in accordance with applicable laws. For example, if PayU offers credit and lending products in your country, certain credit reference agencies or bureaux will provide us certain information about you to conduct a credit check or credit assessment; or
• from third parties within the group of companies to which PayU belongs, including its affiliates and subsidiaries, subject to applicable laws.

We process personal information only when we have a valid legal ground to do so. Most commonly, we use your personal information where:

• it is necessary to process your personal information in connection with the performance of a contract that we have with you directly or indirectly;
• it is necessary for our legitimate interests (or the legitimate interests of a third party). We make sure that your fundamental rights are not overridden by our legitimate interests;
• we use your personal information to comply with our legal obligations – for example, ensuring that we use your personal information to comply with anti-bribery and anti-money laundering requirements;

We may seek your explicit consent where the applicable laws require us to do so.

There can be additional legal grounds for processing personal information in some countries. This depends on applicable law and the products and services offered to you.

1. To verify, authenticate and authorize your use of our products or services

To conduct ‘Know your Customer’ and risk assessments in order to authenticate and authorize your use of our products or services depending on if you are a merchant, consumer or customer, and your choice of service or product. The type of personal information typically required is Identity, Contact and Financial information. This is necessary in order for PayU to assess your application under contract and necessary for our legal obligations under certain laws.

2. To process payment transactions made through our Platforms

The types of personal information we require to provide a product or service and the legal ground depends on the specific payment methods made available by PayU in your country.

PayU offers multiple types of international and local payment methods, which are subject to product specific service terms (contracts) and legal obligations. For example, when PayU offers card payment processing as a payment’s aggregator on a Platform, PayU processes personal information received from merchants such as transaction details, and if payment is by card (cardholder details such as name on card) in order complete the payment by you to the merchant to purchase a product or service. In other cases, certain payment transactions require you to provide personal information directly to us onto our Platform in order for us to process a transaction – in that instance the purpose is to process the payment for you.

3. To protect our business and to ensure compliance with the law

We process personal information to meet the requirements of applicable laws, regulations, standards, rules, codes and the requirements of financial institutions with which PayU must comply. This includes:

• authenticating and validating payments to mitigate and protect against identity theft or fraud. To do this, some of your personal and non-personal information may be collected by PayU directly or delivered to PayU by merchants. PayU will use this personal information to enter into the PayU fraud systems available for this validation and will remain there for future reference and cross-reference of information required to validate the payments;
• consulting and reporting your personal information and behaviour on monetary obligations to legitimately constituted credit, financial, commercial or service risk centres, or to other financial institutions, under applicable law;
• verifying your identity and comparing your information to verify accuracy for reporting obligations under applicable law or payment scheme rules;
• processing your personal information if you exert your right of refusal on purchases made or if your transaction is, for example, the subject of payments dispute or chargeback with a financial institution; and
• processing your personal information to ensure business continuity of our businesses and appropriate disaster recovery for our Websites, Apps, Platforms, services and products.

4. To manage our relationship with you

If you contact us or otherwise give us your Contact information (for example by registering, by completing an enquiry form on our Website/s, or by subscribing to receive support, and service status communications from us or security or fraud monitoring alerts), we may process your personal information:

• to inform you about your products or services with us and any changes to these products or services and any associated legal documents;
• to notify you if there is any interruption of services or products;
• to ask you to provide information on how we can improve or develop services or products and to otherwise effectively communicate with you;
• to provide you with service assistance and problem solutions or to contact or send you notifications related specifically to the services or products we offer you;
• to use your personal information in transactional or fraud monitoring reports (or both) as part of the performance of our contract. You have the option to unsubscribe from such reports in accordance with the terms of our contract. Be sure to check with your finance team before you unsubscribe.

5. To market our products and services and related services to you

We may use personal information to market our products and services and to notify you about events, offers, sponsorships, marketing programmes and similar marketing campaigns. Please see MARKETING.

6. To conduct research and to develop and improve our products and services

We may use personal information that we collect:

• to research and gain insights into market trends and needs and to develop or innovate our technologies, products and services to meet such market trends and needs. We may use machine learning and artificial intelligence techniques to conduct research to gain such insights;
• to analyze visitor use of our Websites, Apps, products or services in line with this Global Privacy Statement and our Cookie Policy;
• to improve and personalize our merchant and customer relationships;
• to provide merchants with statistical insights and reports based on data we receive from them;
• to use your personal information, in line with applicable laws and regulations, so that we can provide credit analysis and related credit services.

• We may share personal information with internal third parties, being third parties from the group of companies to which PayU. We may disclose your personal information to those companies, to:
  • provide support services and technical services to these internal third parties and to receive some of these services from them;
  • contribute to the research, data analytics and studies in order to improve the products and services that PayU and other internal third parties respectively provide.

• We may share your personal information with external third parties such as:
  • merchants in accordance with our service agreements (also referred to as our terms and conditions or contracts). For example, to process a card payment, we may need to share a customer’s credit card details to the merchant that the payment relates to. If you are buying goods or services through PayU services, we may also provide the merchant with your credit card billing address to help complete an individual’s payment transaction.
  • authorized financial institutions and banking partners with whom we partner to jointly create and offer products and services. Depending on the type of payment chosen by the customer, payer or buyer, PayU will share the information with the financial institutions that validate and process each means of payment for corresponding approval, validation, and settlement. This means that your personal information may be collected for those purposes by financial issuing institutions for the means of payment, acquiring financial institutions, payment processing networks, franchises such as Visa, MasterCard.
  • marketplaces cooperating with us, if obtaining personal data by these entities is justified by law, e.g. in connection with the obligations to identify or verify users of online platforms. 
  • credit bureaus and credit providers to report financial information and to conduct mandated credit scoring to determine affordability, as strictly permitted by law.
  • service providers or vendors under contract who assist us with our business operations.
  • companies that we plan to merge with or entities that we may be acquired by, in which situation we will require that the new combined entity or the acquiring entity follow this full privacy statement with respect to your personal information.
  • when required by law enforcement, government officials, fraud detection agencies or other third parties and when we are compelled to do so by law (such as via a subpoena, court order or similar legal procedure).
  • international entities we partner with for the offer and/or development of products and services subject to the requirements under this Statement and applicable laws.

PayU takes all reasonable measures to ensure that every third party involved in the processing of your personal information has the required organizational and technical protections in place, including the required data processing and transfer agreements where this is necessary. When required under applicable law, we may provide you with a list of our sub-processors or suppliers upon request, by contacting us at this address.

You may receive marketing communications from PayU, for example, if you have:

• requested more information from us;
• provided your Contact information to us in order to retrieve content or communications from us, including any research papers, insights or studies conducted by us;
• subscribed for services or products from PayU; or
• entered into a promotional campaign, offer or survey or loyalty programme and provided your contact details to participate in such activity. PayU may run these marketing activities directly or with promoters.

The provision of such marketing activities is subject to the applicable laws of the country that the marketing and communication activity occurs. We keep a register of Marketing and communications personal information that is used by us. You are entitled to opt out from receiving such marketing by clicking on the opt out or unsubscribe link(s) provided in such PayU marketing communications. 

Depending on the applicable laws in the PayU local business’ country, you may also be required to opt- in before receiving any marketing communications from PayU.

PayU may also use Marketing and communications personal information in order to improve and customize the content of our ads, promotions and advertising that may be of interest to you. 

PayU uses cookies, web beacons and similar techniques (“cookies”) when you access our Websites or Apps.

A cookie is a small text file containing a string of alphanumeric characters (numbers and letters). We explain how we use cookies on each of our applicable Websites or Apps and the choices you, as a visitor to each Website or App, have when it comes to our use of cookies here (our Cookie Policy for Website or App that you reading this Privacy Statement from).

We are a global company with a global footprint.

Your personal information may be processed either locally in the country where you work or reside, or in any other country where we or our approved third-party service providers operate, worldwide, as permitted by law. Should your personal information move outside the European Union (EU) or the European Economic Area (EEA) or from another country that restricts transfers of personal information, we use the EU Commission’s standard contractual clauses (as may be amended from time to time) or other locally-compliant transfer mechanisms outside the EU/EEA, such as consent or local transfer agreements to ensure that an adequate or a same level of protection is applied to your personal information as the one afforded in the country of origin.

PayU may store your personal information for as long as required for the fulfilment of the purposes for which we collected it. The retention of personal information by PayU is determined by considering compliance with legal (contractual or statutory requirements), accounting and compliance reporting requirements. For this example, preventing fraud and to prevent anti-money laundering and combat anti-corruption and financing of terrorism.

PayU also takes into consideration the temporary limits established in the commercial or data privacy laws, as well as in other relevant laws, in the different countries in which PayU provides its services.

We ensure that you may exercise your individual privacy rights under applicable privacy and data protection laws. This means that PayU seeks to provide reasonable assistance to cater to requests from individuals regarding the processing of personal information and the right to access, delete, erase, amend and withdraw permission to the processing of personal information.

Depending on the applicable laws in your country, you may have certain rights under data protection law. For example, under the GDPR, you can exercise the following rights:

• access your personal information (access rights): You have the right to ask us if we process personal information that relates to you and you may ask us to provide you with details of the personal information we process about you (as required under applicable laws).
• correct or rectify your personal information: You can ask us to have inaccurate personal information we process about you fixed or changed.
• erase your personal information: You can ask us to delete or erase personal information under certain circumstances if the personal information is no longer needed for the purposes for which we collected them (subject to local data retention legal obligations).
• withdraw your consent: You may withdraw a consent to processing that you have given us and prevent further processing if there is no other legal ground (including legitimate interests) for processing your personal information.
• restrict the processing of your personal information: You can require certain personal information to be marked as restricted for processing in certain circumstances, such as an objection to our processing of your personal information based on our legitimate interests.
• request data portability: You can ask us to transmit your personal information that you have provided to us to a third party in a machine-readable form.
• object to automated decision making, including profiling, if these decisions produce a legal effect on you.
• raise a complaint: You can raise a complaint about our processing of your personal information with the data protection regulator or applicable authority in your country. In the EEA, you can find the full contact details of your National Data Protection Authority online here.

Please submit at this address if you would like to exercise any of the above rights. These rights are limited in some situations, such as where we are legally required to process your personal information, and this may limit your ability to use some of our products and services.

If you have a question relating to the rights and choices available to you in your country outside of the EEA, you can click here to know more about this.

The security of your personal information is important to PayU. PayU takes legal, technical and organizational measures that it considers necessary in order to maintain the confidentiality and security of your personal information, with due regard to the applicable obligations and exceptions under the legislation in force.

In addition, PayU follows the payments industry standards regarding the protection of payment card information. Each local business is regularly audited to maintain the highest level of security certification with the Payments Card information Security Standard Council (PCI) in respect of protecting card data.

PayU regularly reviews its policies regarding the collection, storage and processing of your personal information, including physical security measures, to prevent alteration, loss, query, use or fraudulent or unauthorized access of your personal information.

PayU has put in place procedures to deal with personal information breach and will notify you and any applicable regulator or authority of a breach where we are legally required to do so.

PayU does not voluntarily or actively collect, use or disclose personal information of minors, according to the minimum age equivalent in the relevant jurisdiction, without the prior consent of the parents or guardians of the minor.

The services of PayU are not intended or designed to attract minors.

If we learn that we collected the personal information of a minor, without first receiving a verifiable parental consent, we will take steps to delete the information as soon as possible.

This Privacy Statement may change over time. The recent version of this Privacy Statement is published on this Website.

This version was last changed on April 15, 2024. 

We will notify you of any changes to this Privacy Statement by publishing this on our Website. You can print or store this Privacy Statement by downloading a copy from your browser.

To view PayU Global Privacy Terms required under applicable law, please click here.

It is very important that any personal information we hold about you is up to date and correct. Please inform us of any changes to your personal information

Our contact details are:  PayU S.A., Grunwaldzka 186, 60-166 Poznań, Poland, contact form.

PayU has appointed a global privacy officer (CPO) and a Data Protection Officer (DPO) – Karolina Miksa.   You can contact us at this address.